Cryptanalysis of Lee–Hwang–Yang blind signature scheme

https://doi.org/10.1016/j.csi.2008.02.002

Abstract

In 2005, Lee et al. proposed a blind signature scheme based on the discrete-logarithm problem to achieve the untraceability (unlinkability) property. Later, Wu and Wang proposed a simplified version of Lee et al.'s scheme. In this manuscript we show that neither scheme is secure. We design an attack on both schemes by which a signature requester can obtain more than one valid signature from only one round of the protocol. This violates an essential security requirement of blind signatures.

Introduction

In 1982, Chaum proposed the concept of blind signatures [3], which makes it information-theoretically impossible for a signer to derive the link between a signature and the instance of the signing operation that produced the blinded form of that signature. This is usually referred to as the unlinkability or untraceability property. Because of the unlinkability property and the unforgeability of the signatures, blind signatures have been widely applied to untraceable electronic cash protocols [3], [5], [11] and anonymous electronic voting systems [6], [9], [12], [13], [15]. In addition, other applications based on blind signatures, such as fair proxy raffle protocols [4] and privacy-preserving protocols [1], have also been introduced.

Recently, several blind signature schemes based on the discrete-logarithm problem have been proposed and discussed in [2], [7], [8], [10]. In 1994, Camenisch et al. [2] introduced a blind signature scheme based on the discrete-logarithm problem. In 1995, Harn [7] pointed out that Camenisch et al.'s scheme cannot satisfy the requirement of untraceability. However, Horster et al. [8] claimed that Harn's cryptanalysis is not correct. Later, in 2005, Lee et al. [10] showed that Horster et al.'s comment on Harn's attack [7] was wrong, and therefore proposed an improved blind signature scheme in [10] to strengthen Camenisch et al.'s scheme against the attack introduced in [7]. In the same year, Wu and Wang [16] proposed a simplified version of the scheme in [10].

In a secure blind signature scheme, it must be guaranteed that a signature requester can acquire at most w signatures after performing w rounds of the protocol with the signer, where w is a positive integer [14]. In this manuscript, we show that both schemes of [10], [16] have a security flaw by which a signature requester can obtain two valid signatures from only one round of the protocol with the signer; hence the schemes of [10], [16] are insecure. If either scheme is used to construct an electronic cash system, a malicious customer can obtain two electronic coins by performing a one-coin withdrawal procedure, without being detected by the bank. This results in a loss to the bank, while the identity of the malicious customer cannot be derived because of the unlinkability of the blind signature. Similarly, when either scheme is applied to an electronic voting system, a malicious voter can acquire two valid electronic votes without being detected by the tally center of the voting system. This corrupts the tally result while the identity of the malicious voter cannot be derived.

The rest of this manuscript is organized as follows. In Section 2, we briefly review the Lee–Hwang–Yang scheme of [10]. The proposed attack is presented in Section 3. Finally, concluding remarks are given in Section 4.


Review of Lee–Hwang–Yang blind signature scheme

In this section, we briefly review the blind signature scheme proposed by Lee, Hwang, and Yang [10]. There are two kinds of roles in the scheme: a signer and a group of signature requesters, where signature requesters request signatures from the signer and the signer issues blind signatures to the requesters. The details of [10] are described as follows:

Initially, the signer chooses two large primes (p, q) and an integer g, where q | (p − 1) and g is a generator of order q in Zp*. The signer
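The setup step above requires a prime pair (p, q) with q | (p − 1) and an element g of order q in Zp*. The following is an added example, not code from the paper, showing one standard way to generate such parameters (p = k·q + 1, g = h^((p−1)/q) mod p) and to verify that a given triple satisfies the conditions; the bit sizes are toy values chosen for speed, not the large primes the scheme needs.

```python
import random

def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test (sufficient for an illustration)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_schnorr_group(q_bits=64, p_bits=128):
    """Return (p, q, g) with q prime, q | (p - 1) and g of order q in Z_p^*.
    Toy sizes; a real deployment uses much larger primes."""
    while True:
        q = random.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if not is_probable_prime(q):
            continue
        k_bits = p_bits - q_bits
        for _ in range(4096):           # look for p = k*q + 1 of the requested size
            k = random.getrandbits(k_bits) | (1 << (k_bits - 1))
            p = k * q + 1
            if is_probable_prime(p):
                break
        else:
            continue                    # no suitable p found, pick a new q
        while True:                     # g = h^((p-1)/q) has order q unless it is 1
            h = random.randrange(2, p - 1)
            g = pow(h, (p - 1) // q, p)
            if g != 1:
                return p, q, g

def check_parameters(p, q, g):
    """Verify the conditions the signer's setup requires on (p, q, g)."""
    return (is_probable_prime(p) and is_probable_prime(q)
            and (p - 1) % q == 0 and 1 < g < p and pow(g, q, p) == 1)
```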

An attack on Lee et al.'s blind signature scheme

First, we assume that no external security mechanism supports Lee et al.'s blind signature scheme when we run our attack. This is the common assumption when discussing the security of almost all blind signature schemes, so that security is ensured even when they are performed alone [14].

In the protocol of Section 2, if the requester is dishonest, she/he can obtain two valid signatures on two distinct messages mα and mβ, respectively, by performing only once of the

Conclusions

In this manuscript we have demonstrated that neither Lee et al.'s blind signature scheme nor Wu et al.'s blind signature scheme is secure. Once either scheme is applied to an untraceable electronic cash system, a customer (i.e., a signature requester) can obtain two valid electronic coins (i.e., two valid signatures) after performing a withdrawal procedure for one coin with the bank (i.e., the signer). This results in a loss to the bank. Similarly, if any of the two

Acknowledgement

We would like to thank Editor-in-Chief and the anonymous referees of this manuscript for their valuable comments.
